
Summary
This detection rule identifies scheduled tasks created on a Windows host from a remote source over Remote Procedure Call (RPC). Scheduled tasks are an automation mechanism that adversaries also abuse to maintain persistence, and a task registered remotely is a notable indicator of lateral movement within a network. The rule uses the Event Query Language (EQL) to capture the relevant Windows log events, specifically instances where a scheduled task is created, while also checking whether the RPC call originated locally or remotely and which process ID was involved. Related findings and further investigation into the context of these creations, such as software installations or administrative activities, are emphasized so that potential threats are assessed accurately. False positives are a risk because scheduled tasks have many legitimate uses, so each event's context must be reviewed carefully to determine whether further action is warranted. The rule integrates with several index patterns, maps to the MITRE ATT&CK techniques for lateral movement and scheduled-task execution, and provides a framework for investigation and remediation.
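As an added illustration, not the rule's own EQL query (which this page does not reproduce), the correlation the summary describes can be sketched in Python: an inbound, non-loopback connection handled by a process, followed within a short window by that same process registering a task under the Task Scheduler's TaskCache registry key. The event records and field names below are constructed for this example and are assumptions, not the rule's schema.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Lower-cased fragment of the standard Task Scheduler registry location
# (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks).
TASKCACHE = "\\schedule\\taskcache\\tasks\\"

# Constructed sample events (assumed field names, not a real log schema).
EVENTS = [
    # pid 1104: remote inbound connection, then task registration 3 s later -> hit
    {"ts": "2022-08-29T10:00:00", "category": "network", "pid": 1104,
     "direction": "ingress", "source_ip": "10.0.0.25"},
    {"ts": "2022-08-29T10:00:03", "category": "registry", "pid": 1104,
     "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
                      "\\Schedule\\TaskCache\\Tasks\\{CONSTRUCTED-GUID-1}\\Actions"},
    # pid 2200: local RPC over loopback (::1) -> ignored, a local task creation
    {"ts": "2022-08-29T10:05:00", "category": "network", "pid": 2200,
     "direction": "ingress", "source_ip": "::1"},
    {"ts": "2022-08-29T10:05:01", "category": "registry", "pid": 2200,
     "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
                      "\\Schedule\\TaskCache\\Tasks\\{CONSTRUCTED-GUID-2}\\Actions"},
    # pid 3300: remote connection but the registration comes 120 s later -> outside a 1 min span
    {"ts": "2022-08-29T10:10:00", "category": "network", "pid": 3300,
     "direction": "ingress", "source_ip": "10.0.0.40"},
    {"ts": "2022-08-29T10:12:00", "category": "registry", "pid": 3300,
     "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
                      "\\Schedule\\TaskCache\\Tasks\\{CONSTRUCTED-GUID-3}\\Actions"},
]


def remote_task_creations(events, maxspan=timedelta(minutes=1)):
    """Return task registrations whose process accepted a non-loopback inbound
    connection no more than `maxspan` before writing the TaskCache key."""
    last_remote = {}   # pid -> (timestamp, source ip) of the latest remote inbound connection
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, ts = ev["pid"], datetime.fromisoformat(ev["ts"])
        if ev["category"] == "network" and ev["direction"] == "ingress":
            src = ip_address(ev["source_ip"])
            if not src.is_loopback:          # 127.0.0.1 / ::1 means a local caller
                last_remote[pid] = (ts, str(src))
        elif ev["category"] == "registry" and TASKCACHE in ev["registry_path"].lower():
            prior = last_remote.get(pid)
            if prior and ts - prior[0] <= maxspan:
                hits.append({"pid": pid, "source_ip": prior[1],
                             "registry_path": ev["registry_path"]})
    return hits


if __name__ == "__main__":
    for hit in remote_task_creations(EVENTS):
        print(f"remote task creation: pid={hit['pid']} from {hit['source_ip']}")
```

Widening `maxspan` trades missed slow registrations for more benign matches, which is the same false-positive tension the summary describes.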
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Logon Session
- File
ATT&CK Techniques
- T1021
- T1053
- T1053.005
Created: 2022-08-29